alloc - a request to "allocate" space in memory, in this case to track a connection - the opposite is dealloc

Cannot alloc conntrack means that the attempt to allocate memory to track a new network connection failed. Connections can mean a lot more than TCP connections. ICMP, SIP, and UDP can all count towards your limits. The June 2006 issue of ;login defines connection tracking like this:

"Basically, the connection tracking system stores information about the state of a connection in a memory structure that contains the source and destination IP addresses, port number pairs, protocol types, state, and timeout. With this extra information, we can define more intelligent filtering policies."

Each new connection goes onto a connection tracking table which has a limited number of entries. If and when that connection table fills up, the oldest entry is dropped. This means that old connections may suddenly disconnect if too many connections are established.

There is a system tunable called nf_conntrack_max that defaults to 32767, if I've read around correctly. You can tune this to a larger number, like 65535, according to this page here at serverfault.com (sysctl -w net.netfilter.nf_conntrack_max=65535). See the list of values in /proc/sys/net/netfilter.

That said, an article by Paul Roberts states that if the table was really filling up, you should see the message nf_conntrack: table full, dropping packet. So, given this, you may actually have a system with too much memory allocated for other things, and connection tracking is feeling the brunt of the shortage. Consider either shutting down a service or increasing the RAM. If you are in a limited memory scenario, you may need to look at symbol stripping and other tricks to get more memory available to you.
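To tell the two cases described above apart on a live system, the following sketch (an added example, not part of the original answer) reports how full the table is and classifies kernel log lines by which message appears. The function names, the CT_DIR override and the sample log lines are assumptions made for illustration; nf_conntrack_count is the kernel's counter file that sits beside nf_conntrack_max.

```shell
#!/bin/sh
# Added example: separate "table full" from "cannot alloc" and report usage.

# Directory holding the conntrack tunables; overridable so the logic can be
# tried against constructed files where nf_conntrack is not loaded.
CT_DIR="${CT_DIR:-/proc/sys/net/netfilter}"

# Print table usage as an integer percentage of nf_conntrack_max.
conntrack_usage_pct() {
    dir="${1:-$CT_DIR}"
    [ -r "$dir/nf_conntrack_count" ] && [ -r "$dir/nf_conntrack_max" ] || return 1
    count=$(cat "$dir/nf_conntrack_count")
    max=$(cat "$dir/nf_conntrack_max")
    [ "$max" -gt 0 ] || return 1
    echo $(( count * 100 / max ))
}

# Read kernel log lines on stdin and name the likely cause:
#   table_full   - "table full, dropping packet" seen: raise nf_conntrack_max
#   alloc_failed - only "cannot alloc conntrack" seen: check memory pressure
#   none         - neither message present
classify_conntrack_log() {
    awk '
        { line = tolower($0) }
        line ~ /nf_conntrack: table full, dropping packet/ { full++ }
        line ~ /cannot alloc conntrack/                    { alloc++ }
        END {
            if (full > 0)       print "table_full"
            else if (alloc > 0) print "alloc_failed"
            else                print "none"
        }'
}

# Combine both signals into one line; optional $1 is the tunables directory.
diagnose() {
    cause=$(classify_conntrack_log)
    pct=$(conntrack_usage_pct "$1") || pct="unknown"
    echo "cause=$cause usage_pct=$pct"
}

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG='kernel: Cannot alloc conntrack
kernel: eth0: link up'
printf '%s\n' "$SAMPLE_LOG" | diagnose
```

On a real host, feed it the kernel log instead of the sample, for example `dmesg | diagnose`.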